NEW @ IPS

a.shaukat · ‎05-16-2007

hi.. im new to IPS .. i got my sensor back again ( lost the previous password) . so i reinstalled IPS v 5.0 and upgraded to 6.0.

Ran the initial setup with basic ACLs

what more ?? whats the virtual sensor for ?

what does the licensing feature do ? like what can or cant i do with or without it ?

emm anything else that can help me getting started.. with it..

mhellman · ‎05-16-2007

You'll need the sensor licensed in order to install signature updates. They're pretty critical.

"whats the virtual sensor for ?"

In version 6, you can have a multiple virtual sensors. Each virtual sensor can have a unique signature policy, event action rules policy, and anomaly detection policy. You apply the virtual sensor to a physical or logical interface. Being new, I would recommend just working with the defaults for now (a single virtual sensor). Are you using the GUI to manage?

Zaid Farooqui · ‎05-16-2007

Hi,

well i used the cli initially to reimage the sensor and upgrade it to 6.0 ..

i ran the setup from the cli as well.

so i have both options...

what would u recommend. ?

any reading material that i should go about..

i was reading the IPS device manager 6.0 guide.

mhellman · ‎05-17-2007

Sounds like you're well on your way. The GUI is pretty much necessary to do some of the more complex configurations effectively.

cashqoo · ‎05-17-2007

What about "inline interface pair"? as well as "Inline VLAN Pair"?

mhellman · ‎05-18-2007

I'm not sure what you're asking.

Zaid Farooqui · ‎05-17-2007

i have 4 interfaces on my ASA :

1-inside sec-level 100 (connects the server farm in the head office)

2-outside sec-level 0 (used to connect to the internet router)

3-LAN_DMZ sec-level 100 (connects all uses LAN of the head office)

4-Branch_DMZ sec-level 100 (connects to the core router that has all the remote branches termination on it via dsl or p2p radio)

So like which interface(s) should i include in the virtual sensor(s)

also i can see 2 interfaces Gi0/0 and Gi0/1 when i run show interfaces brief command on the sensor .... which interface are theses ???

they the backpanel that connects sensor to the asa ?? or what ??

marcabal · ‎05-18-2007

Gi0/0 on the SSM is the external management port of the SSM itself. This interface is where the SSM's own IP is assigned.

Gi0/1 on the SSM is the internal backplane interface. All packets from the ASA will come in this interface.

The Gi0/1 interface is what you need to assign to vs0.

You do not directly assign any of the 4 ASA interfaces to the virtual sensor.

Instead you create one or more policies on your ASA that contain an entry of "ips inline" or "ips promiscuous" for one or more classes of traffic.

You then assign the policy either globally, or to 1 or more interfaces of the ASA.

If an "ips promiscuous" policy is used then the ASA will send a copy of the matching packets to the SSM's internal Gi0/1 interface.

If Gi0/1 is asssigned to vs0 then these copied packets will be monitored by vs0.

If an "ips inline" policy is used then the ASA will send the actual packet to the SSM's internal Gi0/1 interface. Where it will then be monitored by vs0 (assuming Gi0/1 was assigned to vs0). If no attack is detected then the packet is sent back to the ASA through Gi0/1 where the ASA can then complete whatever is needed and send on to the destination host. If an attack is detected, then depending on the sensor configuration the packet can be denied/dropped by the SSM in order to prevent attack packet from getting to the end destination machine.

With ASA version 7.2.x, you are limited to using a single virtual sensor on the SSM (vs0).

With a future 8.0 version of the ASA (not yet released) you will gain the ability to use multiple virtual sensors on the SSM (with IPS 6.0 on the SSM).

In that future version the "ips promiscuous" and "ips inline" configuration entries in the ASA policy have an additional "sensor " configuration option.

When this option is used the traffic would be sent to a specific virtual sensor that you name instead of vs0 where you assigned Gi0/1.

The packets would still be sent to the SSM on Gi0/1 but the ASA would append a special header to tell the SSM to monitor them with a specific virtual sensor instead of vs0 (unless of course you specifically named vs0).

Alternatively in 8.0 you coudl instead assign a virtual sensor to a context as it's default virtual sensor. Then all "ips inline" and "ips promiscuous" entries in the policies for that context would automatically send their packets to a specific virtual sensor without having to add "sensor " to the end of each context. It is sort of a short cut.

So what is a recommendation for the beginning user.

1) Go into the SSM CLI and run the setup command. When you come to the option for configuring virtual sensors you simply assign Gi0/1 to vs0.

2) Modify your existing ASA policy that is assigned globally. For each class of traffic that you want monitored add in the following configuration entry into the policy:

"ips promiscuous fail-open"

A Promiscuous policy is always best for beginners to tell you gain a better understanding of the SSM IPS code. Then later change it to an InLine policy.

The "fail-open" on the end tells the ASA to continue to pass traffic even if the SSM fails.

The other option "fail-close" would tell the ASA to not pass the traffic if the SSM failed. It only gets used in high security environments with mandates that all traffic must be IPS monitored before transmit. This is usually not the case in most commercial business environments.